Cache Timings Allow Browser History Extraction

(LiveHacking.Com) – Security researcher and author of the book “The Tangled Web” Michal Zalewski has created a proof-of-concept web page that can extract browser history (without relying on browser quirks) using a non-destructive cache timing inspection method. A visit to the “cachetime” web page (after you give your permission) runs the script to reveal which of the top Internet sites you have visited, including Facebook, YouTube and Amazon.com.

While this code is still somewhat crude and fails for a small percentage of visitors, it appears that repeated high-performance cache sniffing is a viable possibility. The approach should allow several hundred URLs to be tested per second without disrupting the cache or causing other side effects.

Over the past two years, the major browsers changed the way the CSS :visited selector works in order to prevent websites from stealing your browsing history.

Attacks on cache timings, although theoretically possible, have until now been deemed infeasible because they relied on destructive, one-shot testing that alters the state of the examined cache. However, Zalewski’s proof of concept offers non-destructive cache inspection.

Michal has released the source code, which outlines the algorithm in more detail.